
This article will help you detect, locate, and remove spyware that has installed itself onto your computer.
After spyware has installed itself, there are three distinct investigative steps to resolve the problem:
How do you know if your computer has been affected by spyware? If browser toolbars and other BHOs appear, your browser home page is changed, or you can't access your Web browser configuration settings, then an infection is likely.
The easiest way to locate hidden spyware is to investigate the mechanisms spyware uses to hide and do its work. An easy way to verify that communication is occurring is to view all of the current, active network connections on your computer using Active Ports. Active Ports is an essential tool that lists every incoming and outgoing connection on each of your active network links, such as your Internet dial-up or broadband connection.
Another favorite spyware trick is to fill up your hosts file with invalid entries for valid Web sites. When you type a URL (Uniform Resource Locator) into your Web browser, such as http://www.cnet.com, the Windows network stack uses various methods to resolve the FQDN (Fully Qualified Domain Name, for example www.cnet.com) into an IP address.
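One way to check a hosts file for the tampering described above, as an added example that is not part of the original article. The sample file contents, the `EXPECTED` name list and the function name `audit_hosts` are constructed for illustration.

```python
import ipaddress

# Names a stock hosts file normally maps to loopback (assumption for this example).
EXPECTED = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample, not taken from a real machine.
SAMPLE_HOSTS = """\
# Sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.cnet.com          # valid site pointed at this machine
203.0.113.10    update.example.com  download.example.com
0.0.0.0         av-vendor.example
not-an-ip       www.example.org
"""

def audit_hosts(text):
    """Return (line_no, hostname, address, verdict) for every non-default entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()      # drop full-line and inline comments
        if not entry:
            continue
        fields = entry.split()
        address, names = fields[0], fields[1:] or [""]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            ip = None                             # first field is not an IP address
        for name in names:
            host = name.lower().rstrip(".")
            if ip is None or not host:
                verdict = "malformed"
            elif host in EXPECTED and ip.is_loopback:
                continue                          # normal default entry
            elif ip.is_loopback or ip.is_unspecified:
                verdict = "blocked"               # site made unreachable
            else:
                verdict = "redirected"            # site sent to another server
            findings.append((line_no, host, address, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On Windows the live file is `%SystemRoot%\System32\drivers\etc\hosts`; pass its contents to `audit_hosts` and review every entry you did not add yourself.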
If spyware is running, it will invariably show up as a process on your computer. Fortunately, the filenames and Registry keys used by all but the newest spyware are well known -- thanks to the efforts of antispyware researchers.
The next step in the process is to make a final diagnosis. Fortunately, there are plenty of great antispyware utilities available, most of them free. Spybot is an all-purpose antispyware tool, and has been voted both CNET Best Anti-Spyware utility and one of the CNET Top 10 programs on Download.com. It can fix both Web browser-based spyware and application-based spyware, as well as remove usage tracks from applications and immunize your computer against future infection.
HijackThis is an interesting antispyware tool in that instead of attempting to detect rogue applications as Spybot does, it targets the methods used by spyware to infect a computer. This means that it will find and list absolutely every program using these methods, regardless of legitimacy. As you learned in Lesson 1, spyware often uses the same features and flaws that legitimate applications use to provide their functionality.
Although Spybot may have given you a list of the spyware it found, you shouldn't just jump straight in and remove it. Some spyware masquerades as a different type of spyware, and incorrect detection doesn't result in correct removal. The mantra for this stage is search, search, search again, and search a little bit more to be sure.
Although Internet Explorer zones aren't a reliable security mechanism, they do provide some protection. Place the Web sites you know and trust into the Trusted Sites zone, and increase the security on the Internet zone. Internet Explorer uses the Internet zone for any Web site that isn't listed in one of the other zones; therefore, its security settings apply to the majority of sites you visit. As a minimum, make sure all the ActiveX and Active Scripting features are disabled. If practical, consider switching to another Web browser such as Firefox.
Although antivirus software isn't designed to catch spyware, most desktop packages catch the methods spyware uses to infect your computer. This mainly happens through the Web browser cache -- when your browser downloads a Web page and stores it on disk, antivirus software intercepts the page as it's stored and analyzes it for viruses. Many JavaScript security exploits are categorized as viruses, so your antivirus software can also act as a warning system. GriSoft AVG is an excellent free antivirus suite.
Spybot can immunize your system against spyware. By setting various Registry keys and creating dummy files, Spybot immunization can fool a significant amount of spyware into thinking it's already installed, preventing it from really infecting your computer. Spybot also includes a BHO that watches Web page requests within Internet Explorer. If it detects an attempt to load a known adware-based usage tracker, it will prompt you whether you want to allow it to continue.
Spyware is a nasty trend that needs to be stopped immediately, but it does have an upside. One of the most interesting and challenging areas of research is trapping, analyzing, and defeating new spyware. We all rely on the dedication of the people who do this work for free, making it possible for everyone else to remove and avoid spyware.
Most researchers start with a dedicated computer that has a basic installation of Windows, as well as a few common antispyware tools. They then take a snapshot of the operating system using a setup wizard creation tool (for example, Masai Editor), and then deliberately infect the computer with the spyware target. The setup tool is run again, and produces a difference file that lists all the changes that occurred since the previous snapshot. This immediately allows the researchers to understand what changes the spyware has made.
Copyright © 2009 RadioShack Corporation All rights reserved.